Request for help debugging screen problem

Shaddy Baddah helium@shaddybaddah.name
Fri Feb 5 15:58:00 GMT 2010


Hi Corinna,

On 5/02/2010 3:44 PM, Corinna Vinschen wrote:
> On Feb  5 15:08, Shaddy Baddah wrote:
>>> Also, unless you have CYGWIN=server set, this code should not be used
>>> by the pty handler so I don't know why you're looking here.
>>
>> The answer to Corinna's question may answer that. The situation is
>> that I cannot reattach to a screen session from when logged in via
>> ssh on a Vista or Windows 7 install (which has CYGWIN=server set,
>> right? To be honest, I have lost track of my tinkering
>> involving cygserver (which wasn't set up when the problem initially
>> presented)). The same sessions can be attached by the same user
>> using a desktop mintty session. And in this particular case, the
>> user is non-Administrator.
>>
>>   The message gets clobbered by the screen clear, but if you use
>> strace, the error message seen is:
>>
>>    185   26254 [main] screen 4812 C:\software\cygwin\bin\screen.exe:
>> *** fatal error - couldn't initialize fd 0 for /dev/tty2
>>
>> The issue is almost definitely related to the privilege model on
>> these OSes, as, as I expected, XP doesn't present with the same
>> problem. It also does not present if I ssh into the unlocked
>> Administrator account. It of course does present if logged into an
>> Administrators grouped user account other than the standard
>> Administrator user.
>
> Really?  The user token you're running under should be the elevated
> admin token with full admin rights, at least as long as you have
> logged in via ssh.  Hmm.  Except, if you have logged in via pubkey
> authentication and you're using the user context switch method 1:
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> In that case I don't know if the hand-crafted user token is really
> accepted in terms of mandatory integrity tests, even though the token
> contains the integrity SID.

I am logging in using a password to an sshd configured using
ssh-host-config. I login as a regular user only in the Users group, or
a user in the Administrators group. Either way, the situation is the
same. It is only as the true (unlocked) Administrator that I can
reattach to screen sessions.

I thought it was common knowledge that logging in to an Administrators
grouped user in Vista or Windows 7 is not enough to defeat the (default)
UAC, and you remain unelevated from a privilege standpoint. That is why
I have no choice but to unlock the genuine Administrator (and rename it
just in case).

>
>> The strace revealed that the int fhandler_tty_slave::open(int,
>> mode_t) called was returning EACCES in this way:
>>
>>     44   25864 [main] screen 4812 fhandler_tty_slave::open: cannot
>> dup handles via server. using old method.
>
> I'm glad to read that.  So it has nothing to do with cygserver.  On the
> contrary, is it possible that this works fine if cygserver is running in
> this case?
>
>>    116   25980 [main] screen 4812 fhandler_tty_slave::open: can't
>> open tty (2) handle process 3748
>>     33   26013 [main] screen 4812 seterrno_from_win_error: /cygdrive/z/shaddybaddah.name-projects/cygwin-master.git/winsup/cygwin/fhandler_tty.cc:556
>> windows error 5
>
> I assume the original screen pty has been opened by the same user?
> In which session type, ssh, local desktop, or remote desktop?
>
>>     29   26042 [main] screen 4812 geterrno_from_win_error: windows
>> error 5 == errno 13
>>     27   26069 [main] screen 4812 __set_errno: void
>> seterrno_from_win_error(const char*, int, DWORD):319 val 13
>>    185   26254 [main] screen 4812 C:\software\cygwin\bin\screen.exe:
>> *** fatal error - couldn't initialize fd 0 for /dev/tty2
>>
>> I was hoping to detect what the differences in privileges/tokens???
>> between the regular desktop session, and the ssh session are. In
>> that way, I was hoping to understand why ReadFile was denying
>> access, and see if I could tweak some of the named pipe creation
>> flags. This is all very uninformed, but I was hoping to learn along
>> the way.
>
> As I mentioned above, this could be related to integrity checking.  If
> you're using user context switch method 1, try with method 2 or 3:
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd2
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3

Doesn't apply because I'm using a password, right?

Regards,
Shaddy


